[PATCH v2 2/6] efi_loader: correct determination of secure boot state
Heinrich Schuchardt
heinrich.schuchardt at canonical.com
Thu Aug 26 15:48:01 CEST 2021
When U-Boot is started we have to use the existing variables to determine
in which secure boot state we are.
* If a platform key PK is present and DeployedMode=1, we are in deployed
mode.
* If no platform key PK is present and AuditMode=1, we are in audit mode.
* Otherwise if a platform key is present, we are in user mode.
* Otherwise if no platform key is present, we are in setup mode.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
---
v2:
no change
---
lib/efi_loader/efi_var_common.c | 39 ++++++++++++++++++++++++++-------
1 file changed, 31 insertions(+), 8 deletions(-)
diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c
index 654ce81f9d..cf7afecd60 100644
--- a/lib/efi_loader/efi_var_common.c
+++ b/lib/efi_loader/efi_var_common.c
@@ -315,20 +315,43 @@ err:
efi_status_t efi_init_secure_state(void)
{
static bool lock;
- enum efi_secure_mode mode = EFI_MODE_SETUP;
+ enum efi_secure_mode mode;
u8 efi_vendor_keys = 0;
- efi_uintn_t size = 0;
+ efi_uintn_t size;
efi_status_t ret;
if (lock)
return EFI_SUCCESS;
-
- ret = efi_get_variable_int(L"PK", &efi_global_variable_guid,
- NULL, &size, NULL, NULL);
- if (ret == EFI_BUFFER_TOO_SMALL) {
- if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT))
- mode = EFI_MODE_USER;
+ u8 deployed_mode = 0;
+ u8 audit_mode = 0;
+ u8 setup_mode = 1;
+
+ if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) {
+ size = sizeof(deployed_mode);
+ ret = efi_get_variable_int(u"DeployedMode", &efi_global_variable_guid,
+ NULL, &size, &deployed_mode, NULL);
+ size = sizeof(audit_mode);
+ ret = efi_get_variable_int(u"AuditMode", &efi_global_variable_guid,
+ NULL, &size, &audit_mode, NULL);
+ size = 0;
+ ret = efi_get_variable_int(u"PK", &efi_global_variable_guid,
+ NULL, &size, NULL, NULL);
+ if (ret == EFI_BUFFER_TOO_SMALL) {
+ setup_mode = 0;
+ audit_mode = 0;
+ } else {
+ setup_mode = 1;
+ deployed_mode = 0;
+ }
}
+ if (deployed_mode)
+ mode = EFI_MODE_DEPLOYED;
+ else if (audit_mode)
+ mode = EFI_MODE_AUDIT;
+ else if (setup_mode)
+ mode = EFI_MODE_SETUP;
+ else
+ mode = EFI_MODE_USER;
lock = true;
ret = efi_transfer_secure_state(mode);
--
2.30.2
More information about the U-Boot
mailing list